S1248 XORIndex Loader
XORIndex Loader is an XOR-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. XORIndex Loader was first reported in June 2025. XORIndex Loader has been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. XORIndex Loader has been delivered to victims through code repository sites using typosquatting naming conventions of various npm packages.[1]
| Item | Value |
|---|---|
| ID | S1248 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 October 2025 |
| Last Modified | 24 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | XORIndex Loader has used HTTPS POST to communicate with C2.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | XORIndex Loader has executed malicious JavaScript code.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | XORIndex Loader can decode its payload prior to execution.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | XORIndex Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers.[1] |
| enterprise | T1105 | Ingress Tool Transfer | XORIndex Loader has been used to download malicious payloads, including BeaverTail.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | XORIndex Loader has leveraged legitimate package names to mimic frequently used tools and entice victims into downloading and executing malicious payloads.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.010 | Command Obfuscation | XORIndex Loader has obfuscated strings using ASCII buffers and TextDecoder.[1] |
| enterprise | T1027.013 | Encrypted/Encoded File | XORIndex Loader has encoded module names and C2 URLs as hexadecimal strings in an attempt to evade analysis.[1] |
| enterprise | T1082 | System Information Discovery | XORIndex Loader has the ability to collect the hostname, OS username, geolocation, and OS version of an infected host.[1] |
| enterprise | T1614 | System Location Discovery | XORIndex Loader can identify the geographical location of a victim host.[1] |
| enterprise | T1016 | System Network Configuration Discovery | XORIndex Loader has leveraged web services to identify the public IP address of the victim host.[1] |
| enterprise | T1033 | System Owner/User Discovery | XORIndex Loader has collected the username from the victim host.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1052 | Contagious Interview | [1] |